Description
Vulnerability ID:
CVE-2025-11579
GHSA-rwvp-r38j-9rgg
GO-2025-4020
Package URL or steps to reproduce:
grype pkg:go-module/github.com/nwaples/rardecode@1.1.3

An example of this can be seen when comparing the scan results of the Grype binary from the v0.104.0 release:
Using Grype CLI with the latest version of the database:
$ grype file:grype-0_104_0
✔ Indexed file system grype-0_104_0
✔ Cataloged contents 15c20320b86c5ecd6177c366646de20fa63383daeec159febc19da723c82756c
├── ✔ Packages [301 packages]
├── ✔ Executables [1 executables]
├── ✔ File digests [1 files]
└── ✔ File metadata [1 locations]
✔ Scanned for vulnerabilities [4 vulnerability matches]
├── by severity: 0 critical, 2 high, 2 medium, 0 low, 0 negligible
NAME                      INSTALLED  FIXED IN         TYPE       VULNERABILITY        SEVERITY  EPSS           RISK
golang.org/x/crypto       v0.44.0    0.45.0           go-module  GHSA-j5w8-q4qc-rx2x  Medium    < 0.1% (24th)  < 0.1
golang.org/x/crypto       v0.44.0    0.45.0           go-module  GHSA-f6x5-jh6r-wrfv  Medium    < 0.1% (15th)  < 0.1
github.com/anchore/grype  v0.104.0   0.104.1          go-module  GHSA-6gxw-85q2-q646  High      < 0.1% (3rd)   < 0.1
stdlib                    go1.25.4   1.24.11, 1.25.5  go-module  CVE-2025-61729       High      < 0.1% (1st)   < 0.1

Using govulncheck:
$ govulncheck -mode binary grype-0_104_0
govulncheck -scan module -mode binary grype-0_104_0
=== Module Results ===
Vulnerability #1: GO-2025-4175
Improper application of excluded DNS name constraints when verifying
wildcard names in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4175
Standard library
Found in: stdlib@go1.25.4
Fixed in: stdlib@go1.25.5
Vulnerability #2: GO-2025-4160
Grype has a credential disclosure vulnerability in its JSON output in
github.com/anchore/grype
More info: https://pkg.go.dev/vuln/GO-2025-4160
Module: github.com/anchore/grype
Found in: github.com/anchore/grype@v0.104.0
Fixed in: github.com/anchore/grype@v0.104.1
Vulnerability #3: GO-2025-4155
Excessive resource consumption when printing error string for host
certificate validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4155
Standard library
Found in: stdlib@go1.25.4
Fixed in: stdlib@go1.25.5
Vulnerability #4: GO-2025-4135
Malformed constraint may cause denial of service in
golang.org/x/crypto/ssh/agent
More info: https://pkg.go.dev/vuln/GO-2025-4135
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.44.0
Fixed in: golang.org/x/crypto@v0.45.0
Vulnerability #5: GO-2025-4134
Unbounded memory consumption in golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2025-4134
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.44.0
Fixed in: golang.org/x/crypto@v0.45.0
Vulnerability #6: GO-2025-4020
DoS risk due to unrestricted RAR dictionary sizes in
github.com/nwaples/rardecode
More info: https://pkg.go.dev/vuln/GO-2025-4020
Module: github.com/nwaples/rardecode
Found in: github.com/nwaples/rardecode@v1.1.3
Fixed in: N/A

Anything else we need to know?:
@willmurphyscode @kzantow This was the example I was referencing during the community office hours call as the motivation for considering the addition of the Go Vulnerability Database as a provider in Vunnel.
Looking at the report for GO-2025-4020, it identifies both github.com/nwaples/rardecode and github.com/nwaples/rardecode/v2 as impacted, whereas it seems the other sources only identify github.com/nwaples/rardecode/v2 as impacted.
Environment:
- Output of grype version:
Application: grype
Version: 0.104.1
BuildDate: 2025-11-24T15:34:29Z
GitCommit: Homebrew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.25.4
Compiler: gc
Syft Version: v1.38.0
Supported DB Schema: 6
- OS (e.g: cat /etc/os-release or similar): macOS 26.1
Status: In Progress
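The comparison the report makes by eye can be done mechanically. The Go program below is an added example, not code from this issue or from the grype or govulncheck projects: it parses the grype table and the govulncheck text output quoted above (embedded here as sample input, trimmed to the lines the parsers need), keys both on module path, and lists modules that one scanner flags and the other does not. Function and type names (Finding, ParseGrypeTable, ParseGovulncheckText, ModulesOnlyIn) are assumptions of this example. Advisory IDs are deliberately not cross-matched: grype prints GHSA and CVE IDs while govulncheck prints GO-IDs, and aliasing them requires the database, so the module path is the only key both outputs share.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one (module, installed version, advisory ID) row from either scanner.
type Finding struct {
	Module    string
	Installed string
	ID        string
}

// advisoryID matches the identifier schemes the two scanners print (GHSA, CVE, GO-).
var advisoryID = regexp.MustCompile(
	`^(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|CVE-\d{4}-\d{4,}|GO-\d{4}-\d+)$`)

// ParseGrypeTable reads grype's default table output. Columns cannot be indexed
// positionally because FIXED IN may hold several versions ("1.24.11, 1.25.5"),
// so NAME and INSTALLED are taken from the front and the ID is found by pattern.
func ParseGrypeTable(out string) []Finding {
	var fs []Finding
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[0] == "NAME" {
			continue
		}
		for _, tok := range f[2:] {
			if advisoryID.MatchString(tok) {
				fs = append(fs, Finding{Module: f[0], Installed: f[1], ID: tok})
				break
			}
		}
	}
	return fs
}

// ParseGovulncheckText reads `govulncheck -mode binary` text output, pairing each
// "Vulnerability #N: GO-..." header with the next "Found in: module@version" line.
// Standard-library entries print "Found in: stdlib@goX.Y.Z", the same name grype uses.
func ParseGovulncheckText(out string) []Finding {
	var fs []Finding
	cur := ""
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(line, "Vulnerability #"):
			id := line[strings.LastIndex(line, " ")+1:]
			if advisoryID.MatchString(id) {
				cur = id
			}
		case strings.HasPrefix(line, "Found in: ") && cur != "":
			mod, ver, _ := strings.Cut(strings.TrimPrefix(line, "Found in: "), "@")
			fs = append(fs, Finding{Module: mod, Installed: ver, ID: cur})
			cur = ""
		}
	}
	return fs
}

// ModulesOnlyIn returns the module paths present in a but absent from b, sorted.
// The diff is keyed on module path because advisory IDs differ per scanner.
func ModulesOnlyIn(a, b []Finding) []string {
	inB := map[string]bool{}
	for _, f := range b {
		inB[f.Module] = true
	}
	seen := map[string]bool{}
	var out []string
	for _, f := range a {
		if !inB[f.Module] && !seen[f.Module] {
			seen[f.Module] = true
			out = append(out, f.Module)
		}
	}
	sort.Strings(out)
	return out
}

// Sample inputs: the two scanner outputs quoted in the issue, trimmed to the
// lines the parsers consume (constructed from the report, not re-run here).
const grypeOut = `NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
golang.org/x/crypto v0.44.0 0.45.0 go-module GHSA-j5w8-q4qc-rx2x Medium < 0.1% (24th) < 0.1
golang.org/x/crypto v0.44.0 0.45.0 go-module GHSA-f6x5-jh6r-wrfv Medium < 0.1% (15th) < 0.1
github.com/anchore/grype v0.104.0 0.104.1 go-module GHSA-6gxw-85q2-q646 High < 0.1% (3rd) < 0.1
stdlib go1.25.4 1.24.11, 1.25.5 go-module CVE-2025-61729 High < 0.1% (1st) < 0.1`

const govulncheckOut = `=== Module Results ===
Vulnerability #1: GO-2025-4175
Standard library
Found in: stdlib@go1.25.4
Vulnerability #2: GO-2025-4160
Module: github.com/anchore/grype
Found in: github.com/anchore/grype@v0.104.0
Vulnerability #3: GO-2025-4155
Found in: stdlib@go1.25.4
Vulnerability #4: GO-2025-4135
Found in: golang.org/x/crypto@v0.44.0
Vulnerability #5: GO-2025-4134
Found in: golang.org/x/crypto@v0.44.0
Vulnerability #6: GO-2025-4020
Found in: github.com/nwaples/rardecode@v1.1.3`

func main() {
	g := ParseGrypeTable(grypeOut)
	v := ParseGovulncheckText(govulncheckOut)
	fmt.Printf("grype: %d findings, govulncheck: %d findings\n", len(g), len(v))
	for _, m := range ModulesOnlyIn(v, g) {
		fmt.Println("flagged only by govulncheck:", m)
	}
	for _, m := range ModulesOnlyIn(g, v) {
		fmt.Println("flagged only by grype:", m)
	}
}
```

On the quoted outputs the only module in the govulncheck-only set is github.com/nwaples/rardecode, which is the gap the report is about; the three other modules (stdlib, golang.org/x/crypto, github.com/anchore/grype) appear in both. To run it against fresh scans, replace the two constants with the captured text of `grype file:<binary>` and `govulncheck -mode binary <binary>`.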